Tuesday, September 28, 2010

PF Block Report (Perl Script) V2

I’ve been running the PF Blocked Report script for well over a month on my firewalls and have made a few improvements. Version 1.0 of the script didn’t take into account legitimate blocked traffic (e.g. FIN ACK web server traffic), so I modified the tcpdump command to only look for TCP with only the SYN flag set, ICMP, and UDP traffic. Additionally, I added general reporting for outbound hosts. The script is designed to be run as a cron job, right before the log rotates. The size of your report will depend on what numbers you choose for the blocked limits. I’m using 100 as the inbound threshold to limit the size of my reports; taking into consideration that even a quick NMAP scan will create well over a thousand entries, it should still catch port scans.

# @blockTemp holds one source IP per blocked-in log entry (filled in earlier in the script)
# load hash to get unique blocked-in IPs
# IP address is the hash key and 1 is the value for all
%blockedIPs = map { $_ => 1 } @blockTemp;

# find how many blocked entries per blocked-in IP
# add that to the value of the hash
foreach my $key (keys(%blockedIPs)) {
    my $pkt  = 0;
    my $host = $key;
    foreach my $tmpip (@blockTemp) {
        if ($host eq $tmpip) { $pkt++; }
    }
    $blockedIPs{$key} = $pkt;
}

# look for blocked IPs that are over the bad entries limit
# then go back through the logfile and check to see how many entries
# have those IPs as source with pass in or destination with pass out
# then report formatting check based upon length of IP address
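The counting, threshold and pass-in/pass-out lookup described above, carried through end to end on a few constructed pflog lines. This is an added example, not the post's script; the sample addresses, the limit of 2 and the tcpdump filter quoted in the comment are assumptions.

```perl
use strict;
use warnings;

# Constructed sample of `tcpdump -n -e -ttt -r /var/log/pflog` output (timestamp
# column shortened, RFC 5737 test addresses). The post pre-filters at the tcpdump
# level; a filter of the form 'tcp[tcpflags] == tcp-syn or udp or icmp' is assumed.
my @log = (
    "000000 rule 2/(match) block in on em0: 192.0.2.10.40001 > 198.51.100.5.22: S 1:1(0) win 65535",
    "000000 rule 2/(match) block in on em0: 192.0.2.10.40002 > 198.51.100.5.23: S 1:1(0) win 65535",
    "000000 rule 2/(match) block in on em0: 192.0.2.10 > 198.51.100.5: icmp: echo request",
    "000000 rule 2/(match) block in on em0: 203.0.113.7.5353 > 198.51.100.5.53: udp 40",
    "000000 rule 9/(match) pass in on em0: 192.0.2.10.40004 > 198.51.100.5.80: S 1:1(0) win 65535",
    "000000 rule 10/(match) pass out on em0: 198.51.100.5.51000 > 192.0.2.10.443: S 1:1(0) win 65535",
);
my $limit = 2;   # hypothetical threshold; the post uses 100 on a real firewall

# Pull action, direction, source IP and destination IP out of one pflog line.
# The port suffix is optional so ICMP lines parse too.
sub parse_line {
    my ($line) = @_;
    return unless $line =~ /rule \S+ (block|pass) (in|out) on \S+: (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:/;
    return ($1, $2, $3, $4);
}

# Count blocked inbound entries per source, then for every source over the
# limit count how often PF also passed it in (as source) or out (as destination).
sub block_report {
    my ($limit, @lines) = @_;
    my (%blocked_in, %pass_in, %pass_out);
    for my $line (@lines) {
        my ($action, $dir, $src, $dst) = parse_line($line) or next;
        if    ($action eq 'block' && $dir eq 'in')  { $blocked_in{$src}++ }
        elsif ($action eq 'pass'  && $dir eq 'in')  { $pass_in{$src}++ }
        elsif ($action eq 'pass'  && $dir eq 'out') { $pass_out{$dst}++ }
    }
    my %report;
    for my $ip (grep { $blocked_in{$_} > $limit } keys %blocked_in) {
        $report{$ip} = { blocked  => $blocked_in{$ip},
                         pass_in  => $pass_in{$ip}  || 0,
                         pass_out => $pass_out{$ip} || 0 };
    }
    return \%report;
}

# Fixed-width columns handle the 7..15 character spread of dotted-quad addresses.
my $report = block_report($limit, @log);
for my $ip (sort { $report->{$b}{blocked} <=> $report->{$a}{blocked} } keys %$report) {
    printf "%-15s blocked in:%5d  pass in:%5d  pass out:%5d\n",
        $ip, @{ $report->{$ip} }{qw(blocked pass_in pass_out)};
}
```

On the sample above only 192.0.2.10 crosses the limit (3 blocked-in entries), and the report shows it was also passed in once and passed out to once.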